September is National Preparedness Month. Historically, this month has been promoted to bring focus to readiness for natural disasters such as hurricanes, tornadoes, and flooding. As we head into the peak of the Atlantic hurricane season, wildfires and flash flooding have captured the headlines.
In today’s threat landscape, any financial institution (FI) likely has a higher probability of a cyber event than a naturally occurring disaster – so it’s no coincidence that October is National Cyber Security Awareness Month. As responsible C-Suite and IT representatives, we recognize our responsibility to our FI and our customers to be prepared for both!
As members of the C-Suite, we need to be prepared to ask tough questions of our IT management and staff. After all, according to our regulatory and compliance agencies, the burden of readiness and recovery resides with the C-Suite, as do the penalties for failure.
As a primer for your Q&A with IT, start with these questions:
- When was our last disaster recovery (DR) test?
- Did we test everything? If not, what didn’t we test and why?
- Of what was tested, what worked and what didn’t?
- Did we test with the backups that would realistically be available in a disaster?
- What were our actual recovery times per application versus our recovery time objectives (RTO)?
- What were our recovery points per application versus our recovery point objectives (RPO)?
- Look closely for gaps between the RTO, RPO, and what was achieved. Are those gaps you can live with?
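The gap check in the last two questions is easy to do by hand for one application and easy to get wrong for fifty. The following script is an added example, not code from the original post or from any provider it mentions; it assumes a simple per-application record of the documented RTO/RPO, the simulated outage start, the time the application was back in service, and the timestamp of the backup that was actually restored from. All names, applications and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class DrTestResult:
    """One application's result from a DR test (hypothetical record layout)."""
    application: str
    rto: timedelta            # documented recovery time objective
    rpo: timedelta            # documented recovery point objective
    outage_start: datetime    # when the simulated site-down event began
    restored_at: datetime     # when the application was back in service
    last_good_backup: datetime  # timestamp of the backup actually restored from

def recovery_time(r: DrTestResult) -> timedelta:
    """Actual recovery time: outage start to service restored."""
    return r.restored_at - r.outage_start

def recovery_point(r: DrTestResult) -> timedelta:
    """Actual recovery point: how much data (in time) was lost."""
    return r.outage_start - r.last_good_backup

def gap_report(results: list[DrTestResult]) -> list[dict]:
    """Per-application gap between objectives and what was achieved.
    A positive gap means the objective was missed by that much."""
    report = []
    for r in results:
        rt, rp = recovery_time(r), recovery_point(r)
        report.append({
            "application": r.application,
            "rto_gap": rt - r.rto,
            "rpo_gap": rp - r.rpo,
            "rto_met": rt <= r.rto,
            "rpo_met": rp <= r.rpo,
        })
    return report

def failing_applications(results: list[DrTestResult]) -> list[str]:
    """Applications that missed either their RTO or their RPO."""
    return [e["application"] for e in gap_report(results)
            if not (e["rto_met"] and e["rpo_met"])]

def untested_applications(inventory: list[str],
                          results: list[DrTestResult]) -> list[str]:
    """Applications in the inventory with no DR test result at all."""
    tested = {r.application for r in results}
    return [app for app in inventory if app not in tested]

# Constructed sample data: one simulated site-down event starting at 09:00.
T0 = datetime(2023, 9, 5, 9, 0)
SAMPLE_INVENTORY = ["core_banking", "online_banking", "wire_transfer", "mobile_app"]
SAMPLE_RESULTS = [
    DrTestResult("core_banking", timedelta(hours=4), timedelta(minutes=15),
                 T0, T0 + timedelta(hours=3, minutes=30), T0 - timedelta(minutes=10)),
    DrTestResult("online_banking", timedelta(hours=2), timedelta(hours=1),
                 T0, T0 + timedelta(hours=6), T0 - timedelta(hours=7)),
    DrTestResult("wire_transfer", timedelta(hours=1), timedelta(minutes=5),
                 T0, T0 + timedelta(minutes=45), T0 - timedelta(minutes=30)),
]

if __name__ == "__main__":
    for entry in gap_report(SAMPLE_RESULTS):
        print(entry)
    print("missed objectives:", failing_applications(SAMPLE_RESULTS))
    print("never tested:", untested_applications(SAMPLE_INVENTORY, SAMPLE_RESULTS))
```

Run against the constructed data, the report shows `online_banking` missing both objectives by hours, `wire_transfer` meeting its RTO but losing 30 minutes of data against a 5-minute RPO, and `mobile_app` never tested at all. Feeding a real DR test log into the same structure turns "are those gaps you can live with?" into a concrete list to put in front of the C-Suite.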
As IT management and staff, we also have a responsibility to be prepared. As the C-Suite engages you in dialogue regarding the above questions, you should be prepared to give them open, honest, transparent answers. Political correctness has no place in this conversation. After all, we’re talking about keeping the FI viable, and in most cases, we’re also talking about the availability of your funds following an event. You do bank where you work, don’t you?
IT management and staff need to think through the following:
- Are our documented RTOs and RPOs achievable with the technology we have in place today? If not, how quickly can we get there? Is it more than one budget cycle?
- During our last DR test, did we test everything, simulating a complete site down event?
- Do we have everything backed up in such a way that we can easily coordinate the recovery of multiple systems simultaneously?
- If something happened, are there adequate, qualified operations personnel to assist in the recovery and subsequent ongoing operation of the FI?
At the end of the day, whether in IT or the C-Suite, the goal is to stay out of the hot seat and keep the FI’s operations running regardless of the scenario. While we tend to think that a natural disaster would pose a greater disruption to day-to-day operations, what impact would a cyber event have on your FI? True preparedness and organizational resilience aren’t achieved through “check the box” testing or feel-good conversations. Your customers don’t care “how the sausage is made.” They just care that when they show up, whether that’s at the branch, online, or through a predictable mobile experience, the “sausage” is available and tastes good.
The sausage making of DR isn’t easy in today’s increasingly complex IT environment. As “That Pesky Doorbell” reminded us a few weeks ago, you don’t have to go it alone. There’s a trusted provider out there that eats, sleeps, and breathes DR 24x7x365. Remember, your customers are expecting good-tasting sausage, whenever they want it. If they can’t consistently get it from you, they probably won’t hesitate to go someplace else.